Mar 12, 2019
What is a SAN
A SAN is a Subject Alternative Name, and as the name implies it serves as a secondary (or tertiary, etc.) DNS name that your web application could be identified as. This is useful in the context of web farms behind a reverse proxy, load-balancing solutions, etc.
For example:
Modern browsers will show an SSL certificate as invalid if a proper SAN is not included, so it's best practice to be in the habit of including SANs in our CSRs.
How to include a SAN
Because we want to include a SAN (Subject Alternative Name) in our CSR (and certificate), we need to use a customized openssl.cnf file.
While you could edit the ‘openssl req’ command on-the-fly with a tool like ‘sed’ to make the necessary changes to the openssl.cnf file, I will walk through the step of manually updating the file for clarity.
Example openssl.cnf file
Note that the subjectAltName declaration calls an array called @alt_names, which is defined at the bottom of the file.
To include a single SAN in your CSR, update the ‘DNS’ declaration to the appropriate value (in this example, ‘webserver1.scriptech.io’), and leave the DNS.x declarations commented out (#). The result is an @alt_names array with a single entry.
To include multiple SANs in your CSR, comment out (#) the 'DNS' declaration, and uncomment the DNS.x declarations that you need. For example, your [alt_names] section would look like:
The result is an @alt_names array with multiple entries.
Generate the new key and CSR
If you have not already, copy the contents of the example openssl.cnf file above into a file called ‘openssl.cnf’ somewhere. Make note of the location.
Also make sure you update the DN information (Country, State, etc.)
Create a new key
Create a new CSR
Verify the CSR
To view the contents of your new CSR, use the following command:
This example shows a single SAN which I included in my openssl.cnf file.
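The key, CSR and verification steps above, combined into one script. This is an added example, not the original post's code: it writes its own minimal openssl.cnf rather than the post's file, and the hostnames, DN values and file names are constructed placeholders. It goes slightly beyond the steps above by rejecting SAN values that could inject extra config lines and by checking the CSR's self-signature.

```shell
#!/bin/sh
# Added example. Hostnames, DN values and file names are constructed placeholders.

# Usage: make_san_csr <outdir> <common-name> [extra-san ...]
# Runs in a subshell "( )" so the umask change does not leak to the caller.
make_san_csr() (
    outdir=$1; cn=$2; shift 2
    umask 077   # private key must be readable by its owner only
    # Names are written into a config file: reject anything that is not a
    # plain hostname so a crafted value cannot add config lines.
    for name in "$cn" "$@"; do
        case $name in ''|*[!A-Za-z0-9.*-]*) echo "bad name: $name" >&2; exit 1 ;; esac
    done
    {
        printf '%s\n' '[ req ]' 'prompt = no' 'default_md = sha256' \
            'distinguished_name = req_dn' 'req_extensions = v3_req' \
            '[ req_dn ]' 'C = US' 'ST = ExampleState' 'O = Example Org' "CN = $cn" \
            '[ v3_req ]' 'subjectAltName = @alt_names' \
            '[ alt_names ]'
        i=1
        for name in "$cn" "$@"; do   # the CN is repeated as the first SAN
            printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
        done
    } > "$outdir/openssl.cnf"
    openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$outdir/server.key" -config "$outdir/openssl.cnf" \
        -out "$outdir/server.csr" || exit 1
)

# Print the DNS SANs actually present in a CSR, one per line.
# Fails if the CSR's self-signature does not verify.
csr_sans() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

demo_dir=$(mktemp -d)
make_san_csr "$demo_dir" webserver1.example.test webserver2.example.test &&
    csr_sans "$demo_dir/server.csr"
```

Comparing the output of `csr_sans` against the names you intended to request catches a CSR built from the wrong config file before it is sent to the CA.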
Sign the CSR
Now that you have your properly-formatted CSR, you need to sign it using a Trusted Root Certificate Authority. Depending on your context, this could be a third-party CA like DigiCert or GoDaddy, or it could be an internal Certificate Authority (OpenSSL CA, Active Directory Certificate Services).
The contents of a certificate in the openssl format can be viewed with the following command: